Study Finds Personnel Important Factor in Security

The International Information Systems Security Certification Consortium [(ISC)2] recently announced the results of its third-annual Global Information Security Workforce Study, which was conducted by global analyst firm IDC and sponsored by (ISC)2.

The study polled more than 4,000 information security professionals in more than 100 countries. Foremost among its findings was the conclusion that people and processes are at least as important as technology in securing information — companies handling sensitive information don’t just secure software and hardware themselves but now train toward security.

“You have to have an educated workforce,” said Ed Zeitler, (ISC)2 executive director. “An employee needs to understand that information is valuable. They don’t realize it’s valuable because they handle it every day and, you know, who cares? Well, it is important.”

According to the study, on average, more than 41 percent of information security budgets is spent on personnel salaries, benefits, education and training.

Another of the study’s key findings is that responsibility for IT security is moving into the C-level at many organizations, with executives and board members now sharing more in the accountability for information security and overall risk management.

“A few years ago, the CIO alone was held responsible for information security,” Zeitler said. “The responsibility is rising into the CEO and the board level. It used to be strictly a technical problem, stuck to the CIO to take care of it. Now there’s more to it than just the CIO’s part.”

This has led more companies and organization to create chief information security officer (CISO) positions.

The study also found information security professionals are more likely to be compensated and granted resources at a level commiserate with their emerging importance and the increase in demand for their services. Zeitler noted, however, this is seen more in larger companies.

“A small company typically doesn’t have the infrastructure or pay the salaries required for these high-price guys,” he said. “So you’ll see a smaller company have the information security stuck back down into IT somewhere — that hasn’t changed. A large company pays for the CISO function to really be there, and the salary is in accordance with that.”